Integrated circuit device, information processing apparatus, memory management method for information storage device, mobile terminal apparatus, semiconductor integrated circuit device, and communication method using mobile terminal apparatus

ABSTRACT

A memory region on an IC card has a hierarchical structure. Each application allocated on the memory region is registered in a directory, and the memory region is managed in directory units. A personal identification code is set for each application and directory, and the access right is controlled in application units or directory units. If a mobile terminal is lost, the right to access each application in the IC card automatically disappears. Therefore, the right to access each application allocated to the memory region on the IC card is efficiently controlled.

The present invention relates to information storage media with memory regions, IC chips with memory regions, information processing apparatuses having the IC chips with the memory regions, and memory management methods for the information storage media, and particularly relates to an information storage medium for use by being placed in an information processing apparatus such as a cellular phone or a PDA (Personal Digital Assistant), an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium.

More particularly, the present invention relates to an information storage medium in which one or more applications are allocated to a memory region, an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium, and more particularly relates to an information storage medium for controlling the right to access each application allocated to a memory region, an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium.

The present invention also relates to a mobile terminal having an IC chip placed therein, which is driven by receiving power using wireless communication with an external apparatus, and to an IC card for use in conjunction with the mobile terminal, and more particularly relates to a mobile terminal having an IC chip placed therein, which is driven by receiving power using wireless communication with an external apparatus and which has a memory function, a control method therefor, and an IC card with a memory function.

More particularly, the present invention relates to a mobile terminal in which one or more applications are allocated to a memory region on an IC chip, a control method therefor, and an IC card in which one or more applications are allocated to a memory region, and more particularly relates to a mobile terminal for controlling the right to access each application allocated to a memory region on an IC chip in application units, a control method therefor, and an IC card for controlling the right to access each application allocated to a memory region in application units.

BACKGROUND OF THE INVENTION

Various apparatuses using a personal identification number or password for identification and authentication have been devised and put into practical use. (In general, the term “personal identification number” refers to a character string represented by a combination of numerals from 0 to 9, and the term “password” refers to a character string represented using numerals and general characters such as alphabet. In this specification, a set of a personal identification number and password may also be referred to as a “personal identification code (PIC)”.)

For example, when a user wants to use an automatic teller machine (ATM) card at a bank or other financial institution, the user is prompted by a cash dispenser or the like to enter a personal identification number or password as means of identification. After it is confirmed that the user has entered the correct personal identification number or password, the user can draw money from the cash dispenser.

Other applications for the personal identification code include entering a personal identification code at a safety box placed at an accommodation facility such as a hotel, entering a password when logging into a computer, and concealing information on an information terminal.

A storage medium such as a magnetic stripe on a known ATM card for a bank has a storage region for use solely in that bank. Entering the above-described personal identification number or password merely accesses the single storage region. The user is thus required to prepare cards for individual objectives or purposes and separately use the plural cards.

Recently, contactless IC cards have become widely used. For example, an IC card reader/writer placed at a cash dispenser, the entrance to a concert hall, or the ticket gate of a station accesses an IC card held thereabove in a contactless manner. The user inputs a personal identification number or password to the IC card reader/writer, and the input personal identification number or password is checked against a personal identification number or password stored on the IC card, thus performing identification or authentication between the IC card and the IC card reader/writer. When the identification or authentication succeeds, for example, the use of an application stored in the IC card is permitted. One possible type of application stored in the IC card is value information, such as electronic money or an electronic ticket.

Due to the improvement of miniaturization technology, IC cards with relatively high-capacity storage spaces have appeared and been widely used recently. Since known ATM cards only have a single storage region, that is, a single application, the user is required to carry a plurality of cards in accordance with objectives or purposes. In contrast, an IC card with a high-capacity memory stores a plurality of applications at the same time. A single IC card thus serves a plurality of purposes. For example, a single IC card stores two or more applications, such as electronic money for conducting electronic transactions and an electronic ticket for entering a specific concert hall. This single IC card serves various purposes.

When such an IC card with a high-capacity memory function (or a semiconductor IC chip with a data carrier function and/or an authentication function) is placed on a mobile terminal such as a cellular phone, a user having the mobile terminal is allowed to exchange electronic value information with the outside world, such as conducting an electronic transaction.

Since known ATM cards have only a single purpose (as described above), a magnetic stripe on each ATM card has a single personal identification number or password to manage the security of the entire card.

In contrast, IC cards with memory functions capable of storing a plurality of applications and mobile terminals having such IC cards (or IC chips) placed therein are required to control the right to access each application because, when a single personal identification code is used to open access to all applications on the IC card, the security in case of loss or theft of the IC card is greatly degraded.

As a memory region placed on the IC card expands due to progress in the manufacturing technology, more numerous applications are allocated to the memory region on the IC card. When the applications are simply allocated to the memory region, the application arrangement becomes complicated for the user, and the user has difficulty in classifying and organizing the applications on the memory region.

In a case in which the right to access the applications is controlled by individual personal identification codes, when the user wants to use a plurality of correlated applications in a series of transactions, the user is required to sequentially input personal identification codes in the same transactions. As a result, the operability of the apparatus is greatly degraded.

It is an object of the present invention to provide an improved information storage medium with a memory region, an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium.

It is another object of the present invention to provide an improved information storage medium for use by being placed on an information processing apparatus such as a cellular phone or a PDA (Personal Digital Assistant), an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium.

It is yet another object of the present invention to provide an improved information storage medium in which one or more applications are allocated to a memory region, an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium.

It is a further object of the present invention to provide an improved information storage medium for controlling the right to access each application allocated to a memory region, an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium.

It is another object of the present invention to provide an improved information storage medium for efficiently managing a plurality of applications allocated to a memory region, an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium.

SUMMARY OF THE INVENTION

In view of the foregoing objects, according to a first aspect of the present invention, an integrated circuit device or a memory management method for an information storage device is provided including memory allocating means or step for allocating a memory region to each application;

-   personal identification code setting means or step for setting, for each application allocated to the memory region, a personal identification code for controlling the right to access each application; and
-   accessibility/inaccessibility managing means or step for managing each application allocated to the memory region to be accessible/inaccessible,
-   wherein the accessibility/inaccessibility managing means or step sets each application for which the personal identification code is set to be inaccessible in a default setting, and, in response to the fact that the personal identification code input from a user matches the set personal identification code, the accessibility/inaccessibility managing means or step sets the corresponding application to be accessible.

The integrated circuit device according to the first aspect of the present invention is provided in the form of, for example, an IC chip. A cartridge which has the IC chip with an antenna and which is formed in the size of a credit card is generally referred to as an “IC card”. The IC chip is used by being embedded in a mobile terminal such as a cellular phone or a PDA or in other information processing apparatuses. The IC card may be used by being inserted into an information processing apparatus. Applications for the IC chip or IC card include functions related to value information, such as prepaid electronic money or an electronic ticket. In the following description, the functions provided by the IC chip or IC card may also be referred to as “applications”.

By allocating the memory region to each application in a hierarchical manner using directories, the memory allocating means or step manages the memory space in the IC card arranged as a hierarchical structure. Accordingly, correlated applications, such as a plurality of applications used in a series of transactions, are stored in the same directory to enable the user to efficiently classify and organize the applications.

When an external apparatus has a card reader, the external apparatus can access the IC chip via a wireless interface. The right to access the memory region in the IC chip or the like is controlled by matching of personal identification codes. A personal identification code may be input using an information processing apparatus having embedded therein the IC chip to disengage the lock. Subsequently, a wireless link may be established, and access to the memory region may be permitted. Alternatively, after a wireless link between the IC chip in the information processing apparatus and the external apparatus is established, the access right is controlled on the basis of a personal identification code input using the external apparatus.

In such a case, the personal identification code setting means or step may set, for each application and directory, the personal identification code for controlling the right to access each application and directory. The accessibility/inaccessibility managing means or step may set each application and directory for which the personal identification code is set to be inaccessible in the default setting, and, in response to the fact that the personal identification code input from the user matches the set personal identification code, the accessibility/inaccessibility managing means or step may set the corresponding application or directory to be accessible.

In response to the fact that the personal identification code input from the user matches the personal identification code set for one of the directories, the accessibility/inaccessibility managing means or step may set all applications and sub-directories under the directory to be accessible.

According to the integrated circuit device and the memory management method for the information storage device according to the first aspect of the present invention, the memory space has a hierarchical structure. By allocating a directory to each application, the applications are efficiently managed in directory units.

For example, highly-correlated applications, such as those used in a series of transactions, are registered in the same directory (and highly-correlated sub-directories are registered in the same directory). Accordingly, the application and directory arrangement in the memory region is well organized, and the user can efficiently classify and organize the applications.

According to the integrated circuit device and the memory management method for the information storage device according to the first aspect of the present invention, in addition to setting the personal identification code for each application, the personal identification code can be set for each directory. In addition to controlling the access right in application units, the access right can be efficiently controlled in directory units.

For example, the user inputs a personal identification code corresponding to a directory. The input personal identification code is checked and authenticated, and the user is thus given the right to access all applications (and sub-directories) in the directory. For example, the user obtains the right to access all applications used in a series of transactions by inputting a personal identification code for the corresponding directory once. Access control is thus efficiently performed, and the operability of the apparatus is thus improved.

The integrated circuit device or the memory management method for the information storage device according to the first aspect of the present invention may further include private key setting means or step for setting, for each application and directory allocated to the memory region, a private key for authentication. In such a case, the accessibility/inaccessibility managing means or step may set the inaccessible application or directory to be accessible when the inaccessible application or directory is mutually authenticated by a predetermined certificate authority using the private key.

The integrated circuit device or the memory management method for the information storage device may further include access denying means or step for causing each accessible application and directory to be inaccessible in response to cutting off the power to the integrated circuit device or the information storage device.

When the IC card is lost or stolen, the user may suffer from damage since the applications and directories may be used without permission or fraudulently. According to the first aspect of the present invention, access to all applications and directories is automatically denied in response to cutting off the power to the IC card. In case of loss of the IC card, the IC card is prevented from being maintained as accessible and from being used fraudulently by a malicious user.

The integrated circuit device or the memory management method for the information storage device may include number-of-input-failure storing means or step for storing the number of failures of input of the personal identification code for each application and directory allocated to the memory region; and maximum-permissible-number-of-input-failure setting means for setting the maximum permissible number of failures of input of the personal identification code for each application and directory allocated to the memory region. In such a case, the accessibility/inaccessibility managing means or step may set the application or directory in which the number of input failures has reached the maximum permissible number of inputs to be inaccessible.

The integrated circuit device or the memory management method for the information storage device may include number-of-input-failure initializing means or step for clearing the number of input failures stored in the number-of-input-failure storing means or step by a manager mutually authenticated by a predetermined certificate authority.
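The access rules of the first aspect, modelled in Python as an added example that is not code from the patent. The names `Node` and `Card`, the SHA-256 storage of the PIC, the sample PICs and paths, the `manager_authenticated` flag standing in for mutual authentication, and the choice that a blocked node stays inaccessible even when its parent directory is unlocked are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional


def _digest(pic: str) -> bytes:
    # Assumption: the card keeps a hash of the PIC; the text does not say how it is stored.
    return hashlib.sha256(pic.encode("utf-8")).digest()


@dataclass
class Node:
    """A directory or an application allocated in the memory region."""
    name: str
    pic_digest: Optional[bytes] = None   # None means no PIC is set for this node
    max_failures: int = 3                # maximum permissible number of input failures
    failures: int = 0                    # stored count, survives power-off
    unlocked: bool = False               # volatile access state, lost at power-off
    children: Dict[str, "Node"] = field(default_factory=dict)

    def add(self, name: str, pic: Optional[str] = None, max_failures: int = 3) -> "Node":
        child = Node(name, _digest(pic) if pic is not None else None, max_failures)
        self.children[name] = child
        return child

    def walk(self) -> Iterator["Node"]:
        yield self
        for child in self.children.values():
            yield from child.walk()

    @property
    def blocked(self) -> bool:
        return self.pic_digest is not None and self.failures >= self.max_failures

    @property
    def accessible(self) -> bool:
        # Default setting: a node with a PIC is inaccessible until the PIC matches.
        # Assumption: the failure limit wins over a directory-level unlock.
        if self.blocked:
            return False
        return self.pic_digest is None or self.unlocked

    def present_pic(self, pic: str) -> bool:
        """Check a PIC; on a match open this node and everything under it."""
        if self.pic_digest is None:
            return True
        if self.blocked:
            return False                 # no further guesses are evaluated
        if not hmac.compare_digest(_digest(pic), self.pic_digest):
            self.failures += 1
            return False
        # The text describes only a manager reset of the failure count, so a
        # correct PIC leaves the count unchanged in this model.
        for node in self.walk():
            node.unlocked = True
        return True


class Card:
    def __init__(self) -> None:
        self.root = Node("root")

    def find(self, path: str) -> Node:
        node = self.root
        for part in filter(None, path.split("/")):
            node = node.children[part]
        return node

    def power_off(self) -> None:
        # Access denying step: every accessible node becomes inaccessible again.
        for node in self.root.walk():
            node.unlocked = False

    def manager_clear_failures(self, path: str, manager_authenticated: bool) -> bool:
        # manager_authenticated is a stand-in for mutual authentication of the manager.
        if not manager_authenticated:
            return False
        self.find(path).failures = 0
        return True


def build_sample_card() -> Card:
    """Constructed layout: one directory with two applications, one top-level application."""
    card = Card()
    transit = card.root.add("transit", pic="4821")
    transit.add("e_ticket", pic="9090")
    transit.add("e_money", pic="7305")
    card.root.add("door_key", pic="1111", max_failures=2)
    return card
```
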

According to a second aspect of the present invention, a mobile terminal apparatus is provided including:

-   a semiconductor integrated circuit device having a memory region;
-   one or more applications allocated to the memory region, wherein the right to access each application is controlled by a personal identification code;
-   a wireless interface for enabling the semiconductor integrated circuit device to perform wireless communication with an external apparatus;
-   a wired interface for performing wired communication with the semiconductor integrated circuit device;
-   user input means for inputting, from a user, the personal identification code and other data;
-   checking means for transferring the personal identification code input from the user input means via the wired interface to the semiconductor integrated circuit device and for checking the personal identification code with a personal identification code for each application allocated to the memory region; and
-   access-right control means for giving, as a result of checking by the checking means, a right to the user to access the application in which the personal identification codes match each other.

The term mobile terminal apparatus here indicates an information processing apparatus, such as a cellular phone or a PDA (Personal Digital Assistant), which is small and light enough to be carried by the user. Also, the term semiconductor integrated circuit device indicates an IC chip with an authentication function for implementing the access operation.

The IC chip placed on the mobile terminal apparatus according to the second aspect of the present invention includes a wireless interface for establishing a wireless link with an external apparatus such as a reader/writer and a wired interface for establishing an internal connection with a controller of the mobile terminal having the IC chip. In response to establishment of a wireless link with the reader/writer, the IC chip can be activated by electromagnetic waves sent from the reader/writer.

The IC chip placed on the mobile terminal apparatus according to the second aspect of the present invention includes the memory region. One or more applications are allocated to the memory region. The right to access each application is controlled by the personal identification code such as a personal identification number or password. The term application here includes value information, such as electronic money or an electronic ticket.

When a wireless link with the external apparatus such as the reader/writer is established, a personal identification code input using the reader/writer may be input to the IC chip via the wireless interface. A personal identification code input from a user input unit such as a keyboard of the mobile terminal apparatus may be input to the IC chip via the wired interface. The personal identification code input via the wireless interface or the wired interface is checked against the correct personal identification code, and the right to access the corresponding application is given if the personal identification codes match each other.

According to the second aspect of the present invention, a personal identification code for a desired application is input using the mobile terminal apparatus. The mobile terminal is held towards the external apparatus such as the reader/writer, and hence the application can be used using the external apparatus (such as conducting an electronic transaction). Accordingly, the user can input a personal identification code using the user's mobile terminal the user is familiar with, instead of using a user interface of the external apparatus the user is unfamiliar with, and the input personal identification code is thus checked. In other words, a personal identification code may be input using the information processing apparatus having the IC chip embedded therein to disengage the lock. Subsequently, a wireless link may be established with the external apparatus, thus permitting access to the memory region. Needless to say, after a wireless link between the IC chip in the information processing apparatus and the external apparatus is established, the access right may be controlled on the basis of a personal identification code input using the external apparatus.

The access-right control means may permit the external apparatus to access the application for which the access right is given via the wireless interface using wireless communication.

In response to detecting no electromagnetic waves from the external apparatus connected via the wireless interface, the access-right control means may determine that a series of transactions related to the application for which the access right is given has terminated and perform transaction termination processing. As a result, after being used, the IC chip is not maintained in a state in which each application is accessible. For example, when the mobile terminal apparatus is lost or stolen, unauthorized use of the application is prevented. The user is thus prevented from suffering from unauthorized use or theft of value information such as electronic money.

In response to receiving no response within a predetermined period of time in response to a command sent from the IC chip via the wireless interface, the access-right control means may determine that a series of transactions between the external apparatus and the IC chip, which are connected with each other via the wireless interface, has terminated normally or abnormally and may perform termination processing. As a result, after the wireless link with the external apparatus is broken, the IC chip is not maintained in a state in which each application is accessible. For example, when the mobile terminal apparatus is lost or stolen, unauthorized use of the application is prevented. The user is thus prevented from suffering from unauthorized use or theft of value information such as electronic money.
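The two termination triggers just described (loss of the reader's electromagnetic field, and no response within a predetermined period) modelled in Python as an added example that is not code from the patent. The class name `AccessRightControl`, the 0.5 second timeout, the reason strings and the caller-supplied timestamps are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class AccessRightControl:
    """Tracks which applications the reader/writer may use during one transaction."""
    response_timeout: float = 0.5            # assumed "predetermined period", in seconds
    granted: Set[str] = field(default_factory=set)
    link_up: bool = False
    awaiting_since: Optional[float] = None   # time the pending command was sent
    last_termination: Optional[str] = None

    def grant(self, app: str) -> None:
        # Called after the PIC for `app` was checked successfully (wired or wireless input).
        self.granted.add(app)

    def field_detected(self) -> None:
        # The reader/writer's electromagnetic waves were detected: wireless link is up.
        self.link_up = True

    def reader_may_access(self, app: str) -> bool:
        return self.link_up and app in self.granted

    def command_sent(self, now: float) -> None:
        self.awaiting_since = now

    def response_received(self) -> None:
        self.awaiting_since = None

    def poll(self, now: float, carrier_present: bool) -> Optional[str]:
        """Run both termination checks; return the reason if the transaction ended."""
        if self.link_up and not carrier_present:
            return self._terminate("carrier_lost")
        if (self.awaiting_since is not None
                and now - self.awaiting_since > self.response_timeout):
            return self._terminate("response_timeout")
        return None

    def _terminate(self, reason: str) -> str:
        # Termination processing: no application stays accessible afterwards.
        self.granted.clear()
        self.link_up = False
        self.awaiting_since = None
        self.last_termination = reason
        return reason
```

A right granted from the terminal's keypad before the link exists survives `poll` until a link has been up and then ends, matching the order "input the code, then hold the terminal towards the reader/writer" described above.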

The mobile terminal apparatus according to the second aspect of the present invention may further include personal identification code registering means for registering in advance the personal identification code for each application; program activating means; and personal identification code input means for inputting the personal identification code for the corresponding application in accordance with the activated program to the IC chip via the wired interface. In such a case, the user selects a desired program from a menu screen displayed on the display, and the corresponding program is called to the mobile terminal. In response to the activated program, a personal identification code for the corresponding application is input to the IC chip via the wired interface, and the right to access the application is thus given. The user can omit the inputting of a personal identification code for a desired application, and operability is improved.

In response to being connected to the external apparatus via the wireless interface and thus receiving power, the IC chip may notify via the wired interface of the necessity to input the personal identification code for accessing the memory region on the IC chip. In response to the notification, the mobile terminal having the IC chip displays a dialog on a display or emits a beep to prompt the user. Accordingly, the user is reliably reminded of the necessity to input a personal identification code when the user holds the mobile terminal above the external apparatus such as the reader/writer to use the application. Application use in every aspect of the user's everyday life is thus facilitated.

According to a third aspect of the present invention, a communication method using a mobile terminal apparatus having a semiconductor integrated circuit device which has a memory region and which communicates with an external apparatus is provided.

The mobile terminal apparatus includes a wireless interface for enabling the semiconductor integrated circuit device to perform wireless communication with the external apparatus and a wired interface for performing wired communication with the semiconductor integrated circuit device in the mobile terminal apparatus.

One or more applications are allocated to the memory region, wherein the right to access each application is controlled by a personal identification code. The communication method includes:

-   a user input step of inputting, from a user, the personal identification code;
-   a sending step of sending the personal identification code input in the user input step via the wired interface to the semiconductor integrated circuit device;
-   a checking step of checking the personal identification code input in the user input step against a personal identification code for each application allocated to the memory region; and
-   an access-right control step of giving, as a result of checking in the checking step, a right to the user to access the application in which the personal identification codes match each other.

The semiconductor integrated circuit device placed on the mobile terminal apparatus according to the third aspect of the present invention is formed of, for example, an IC chip. The IC chip includes a wireless interface for establishing a wireless link with an external apparatus such as a reader/writer and a wired interface for establishing an internal connection with a controller of the mobile terminal apparatus having the IC chip. In response to establishment of a wireless link with the reader/writer, the IC chip is activated by electromagnetic waves sent from the reader/writer.

The semiconductor integrated circuit device placed on the mobile terminal apparatus according to the third aspect of the present invention has the memory region of relatively high capacity. One or more applications are allocated to the memory region. The right to access each application is controlled by the personal identification code such as a personal identification number or password. The term application here includes value information, such as electronic money or an electronic ticket.

When a wireless link with the external apparatus such as the reader/writer is established, a personal identification code input using the reader/writer may be input to the IC chip via the wireless interface. A personal identification code input from a user input unit such as a keyboard of the mobile terminal apparatus may be input to the IC chip via the wired interface. The personal identification code input via the wireless interface or the wired interface is checked against the correct personal identification code, and the right to access the corresponding application is given if the personal identification codes match each other.

According to the third aspect of the present invention, a personal identification code for a desired application is input using the mobile terminal apparatus. The mobile terminal is held towards the external apparatus such as the reader/writer, and hence the application can be used using the external apparatus (such as conducting an electronic transaction). Accordingly, the user can input a personal identification code using the user's mobile terminal the user is familiar with, instead of using a user interface of the external apparatus the user is unfamiliar with, and the input personal identification code is thus checked.

In the access-right control step, the external apparatus may be permitted to access the application for which the access right is given via the wireless interface using wireless communication.

In the access-right control step, in response to detecting no electromagnetic waves from the external apparatus connected via the wireless interface, it may be determined that a series of transactions related to the application for which the access right is given has terminated, and transaction termination processing may be performed. As a result, after being used, the semiconductor integrated circuit device is not maintained in a state in which each application is accessible. For example, when the mobile terminal apparatus is lost or stolen, unauthorized use of the application is prevented. The user is thus prevented from suffering from unauthorized use or theft of value information such as electronic money.

In the access-right control step, in response to receiving no response within a predetermined period of time in response to a command sent from the IC chip via the wireless interface, it may be determined that a series of transactions between the external apparatus and the IC chip, which are connected with each other via the wireless interface, has terminated normally or abnormally, and termination processing may be performed. As a result, after the wireless link with the external apparatus is broken, the IC chip is not maintained in a state in which each application is accessible. For example, when the mobile terminal apparatus is lost or stolen, unauthorized use of the application is prevented. The user is thus prevented from suffering from unauthorized use or theft of value information such as electronic money.

The communication method using the mobile terminal apparatus according to the third aspect of the present invention may further include a personal identification code registering step of registering in advance the personal identification code for each application; a program activating step; and a personal identification code input step of inputting the personal identification code for the corresponding application in accordance with the activated program to the semiconductor integrated circuit device via the wired interface. In such a case, the user selects a desired program from a menu screen displayed on the display, and the corresponding program is called to the mobile terminal. In response to the activated program, a personal identification code for the corresponding application is input to the semiconductor integrated circuit device via the wired interface, and the right to access the application is thus given. In such a case, the user can omit the inputting of a personal identification code for a desired application, and operability is improved.

The communication method using the mobile terminal apparatus may furtherinclude a notification step of notifying, in response to the fact thatthe semiconductor integrated circuit device is connected to the externalapparatus via the wireless interface and thus receives power, of thenecessity to input the personal identification code for accessing thememory region via the wired interface. In response to the notification,the mobile terminal apparatus having the IC chip displays a dialog on adisplay or emits a beep to prompt the user. Accordingly, the user isreliably reminded of the necessity to input a personal identificationcode when the user holds the mobile terminal above the externalapparatus such as the reader/writer to use the application. Applicationuse in every aspect of the user's everyday life is thus facilitated.

Further objects, features, and advantages of the present invention willbecome apparent from a more-detailed description of the preferredembodiments of the present invention with reference to the attacheddrawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram schematically showing the hardware configuration of a mobile terminal 10 according to an embodiment of the present invention.

FIG. 2 is a conceptual diagram showing the mechanism of wireless communication between a reader/writer and an IC chip 50 based on electromagnetic induction.

FIG. 3 is a model diagram of a system formed of the reader/writer 101 and the IC chip 50, the system serving as a transformer.

FIG. 4 is a block diagram showing the internal functional configuration of the IC chip 50 embedded in the mobile terminal 10 according to a first embodiment of the present invention.

FIG. 5 is a diagram schematically showing an example of the configuration of a memory space in a memory 52 shown in FIG. 4.

FIG. 6 is a diagram schematically showing the data structure of a personal identification code defining region.

FIG. 7 is a flowchart showing a process of controlling the right to access a directory or application in accordance with a personal identification code input from a user.

FIG. 8 is a flowchart showing a process of controlling the right to access a directory or application using a private key instead of the personal identification code input from the user.

FIG. 9 is a flowchart showing a process of controlling the right to access an application or directory on the basis of the number of failures of input of the personal identification code.

FIG. 10 is a diagram schematically showing the mechanism for automatically causing an access-permitted memory region to be inaccessible by cutting off the power supply.

FIG. 11 is a diagram showing the internal functional configuration of an IC chip 50 embedded in a mobile terminal 10 according to a second embodiment of the present invention.

FIG. 12 is a flowchart showing a process of permitting access to an application allocated to a memory 52 by checking a personal identification code input from a user input unit 11 of the mobile terminal 10.

FIG. 13 is a flowchart showing a process of controlling the right to access an application on the basis of the result of detecting electromagnetic waves sent from an external apparatus 50.

FIG. 14 is a flowchart showing a process of controlling the right to access an application on the basis of a response from an external apparatus 100 in response to a command sent from the IC chip 50.

FIG. 15 is a flowchart showing a process of prompting the user to input a personal identification code to the mobile terminal in response to establishment of a wireless link between the IC chip 50 and the external apparatus 100 via an RF unit 51.

FIG. 16 is a diagram schematically showing the hardware configuration of a mobile terminal 10-2 according to a third embodiment of the present invention.

FIG. 17 is a flowchart showing a process of omitting input of a personal identification code by activating a program.

DETAILED DESCRIPTION OF THE INVENTION

With reference to the drawings, embodiments of the present invention will now be described in detail.

A. System Configuration

FIG. 1 schematically shows the hardware configuration of a mobile terminal 10 according to an embodiment of the present invention. The mobile terminal 10 is an information processing terminal, such as a cellular phone or a PDA (Personal Digital Assistant), which is small and light enough to be carried by a user.

The mobile terminal 10 shown in the diagram includes an IC chip 50 which is driven by receiving power using wireless communication with an external apparatus and which has a memory function, a controller 11 for controlling the overall internal operation of the mobile terminal 10, a user input unit 12 formed of keys/buttons with which the user inputs various character strings and commands, such as a personal identification number or password, and a display unit 13, such as an LCD (Liquid Crystal Display), for displaying the processing result. Needless to say, the mobile terminal 10 may include peripheral units and circuit components other than those shown in the diagram in order to implement the primary function of the mobile terminal 10.

A cartridge which has an IC chip with an antenna and which is formed in the size of a credit card is generally referred to as an “IC card”.

The mobile terminal 10 can be equipped with the IC chip 50 in a variety of different ways. For example, a semiconductor IC chip in conjunction with a wireless antenna may be embedded in the mobile terminal 10. Alternatively, a card-shaped IC chip, that is, an IC card, may be used by being inserted into a card slot arranged in the mobile terminal 10. Applications for the IC chip or IC card include functions related to value information, such as prepaid electronic money or an electronic ticket. In the following description, the functions provided by the IC chip or IC card may also be referred to as “applications”.

The controller 11 is formed by integrating a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), and the like. The controller 11 executes program code stored on the ROM to control various operations in the mobile terminal 10.

The IC chip 50 includes a wireless interface 14 for establishing a wireless link with an external apparatus 100 and a wired interface 15 for establishing a wired connection with the controller 11 of the mobile terminal 10. The wireless interface 14 uses, for example, a contact interface standard defined by ISO 7816 or a wireless interface standard defined by ISO 14443. The scheme for establishing a link or connection between the IC chip 50 and the external apparatus 100 will be described later.

The IC chip 50 is manufactured by adopting, for example, a contactless IC chip technology. The IC chip 50 is driven by electromagnetic waves received from the external apparatus 100 via the wireless interface 14. In other words, when the user is not holding the mobile terminal 10 above the external apparatus 100, electromagnetic waves from the external apparatus 100 do not reach the mobile terminal 10, and the operation of the IC chip 50 is deactivated. In this embodiment, the right to access the interior of the IC chip 50 disappears in response to cutting off the electromagnetic waves (this will be described later).

The IC chip 50 according to this embodiment has a memory region. Such a memory region is made possible by miniaturization technology. The memory region is formed of a semiconductor memory, a magnetic stripe, or other readable/writable storage media. One or more applications are allocated to the memory region. One example of an application is value information, such as electronic money or an electronic ticket.

In this embodiment, a memory space in the IC chip 50 has a hierarchical structure. Each application is allocated a directory. This enables applications to be efficiently managed in directory units. This will be described in detail later.

In order to protect value information stored in the memory space in the IC chip 50 from being used without permission or stolen, a personal identification code such as a personal identification number or password is set for each application. As a result, the right to access the memory region is controlled in application units. For example, a personal identification code input via the wireless interface 14 or the wired interface 15 is checked against a personal identification code for each application, and the right to access each application is given when the compared personal identification codes match each other (described later).

In this embodiment, apart from the above features in that the memory space has a hierarchical structure, that each application is allocated a directory, and that a personal identification code is set for each application, a personal identification code may also be set for each directory. The right to access is controlled not only in application units but also in directory units efficiently. The access right control will be described in detail later.

The external apparatus 100 is an apparatus using an application allocated to the memory region on the IC chip 50. The external apparatus 100 includes a reader/writer 101 for establishing a wireless link with the IC chip 50 using, for example, a contactless IC chip technology. Needless to say, the external apparatus 100 is equipped with other circuit components and peripheral devices for performing arithmetic processing for specific operations, and a display unit and an input unit for performing interactive input with the user (all of which are not shown).

The external apparatus 100 corresponds to, for example, an apparatus such as an ATM (Automatic Teller Machine) terminal in a bank for using electronic money; an apparatus for processing electronic value information, such as that installed at the entrance of a concert hall or the gate of a station or airport for using electronic tickets; and an apparatus such as a safety box at an accommodation facility for performing user identification or authentication.

According to the system configuration such as that shown in FIG. 1, the user inputs a personal identification code from the user input unit 12 of the mobile terminal 10 and disengages the lock. In some cases, the user confirms the numerals which are input by the user and which are displayed on the display unit 13 and sends the input personal identification code to the IC chip 50 embedded in the mobile terminal 10 via the wired interface 15. In the IC chip 50, the personal identification code input from the user is checked against a personal identification code set for each application or directory on the memory region. If the personal identification codes match each other, the user is given the right to access the memory region allocated to the corresponding application or directory. Alternatively, after a wireless link is established between the IC chip 50 in the mobile terminal 10 and the external apparatus 100, the right to access each application is controlled on the basis of a personal identification code input using the external apparatus 100.

Wireless communication between the reader/writer 101 and the IC chip 50 is implemented on the basis of, for example, the principle of electromagnetic induction. FIG. 2 conceptually depicts the mechanism of wireless communication between the reader/writer 101 and the IC chip 50 based on electromagnetic induction. The reader/writer 101 includes an antenna L_(RW) formed of a loop coil. Allowing electric current I_(RW) to flow through the antenna L_(RW) generates a magnetic field around the antenna L_(RW). In contrast, at the IC chip 50 side, a loop coil L_(C) is provided around the IC chip 50 in an electrical sense. At the ends of the loop coil L_(C) of the IC chip 50, voltage is induced by the magnetic field generated by the loop antenna L_(RW) of the reader/writer 101, and the induced voltage is input to a terminal of the IC chip 50 connected to the ends of the loop coil L_(C).

The degree of coupling between the antenna L_(RW) of the reader/writer 101 and the loop coil L_(C) of the IC chip 50 changes depending on the positional relationship thereof. As a system, the two can be regarded as forming a single transformer. This can be depicted in the model diagram shown in FIG. 3.

The reader/writer 101 modulates the current I_(RW) flowing through the antenna L_(RW) to modulate a voltage V₀ induced in the loop coil L_(C) of the IC chip. Using this phenomenon, the reader/writer 101 sends data to the IC chip 50. The data sent in this case includes a personal identification code, such as a personal identification number or password input from the user at the external apparatus 100 side, for obtaining the right to access each application or directory, and value information, e.g., electronic money or an electronic ticket, provided by each application.

The IC chip 50 has a load switching function for changing a load between terminals of the loop coil L_(C) in accordance with data to be sent to the reader/writer 101. When the load between the terminals of the loop coil L_(C) changes, the impedance between the antenna terminals of the reader/writer 101 changes. This results in a fluctuation in passing current I_(RW) or voltage V_(RW) of the antenna L_(RW). Demodulation of the fluctuation enables the reader/writer 101 to receive the data sent from the IC chip 50. The data received by the external apparatus 100 from the IC chip 50 includes value information, such as electronic money or an electronic ticket, provided by each application.

B. First Embodiment

In a first embodiment of the present invention, a storage region in the IC chip 50 embedded in the mobile terminal 10 has a hierarchical structure using directories. Each application allocated to the memory region is registered in a directory at a desired hierarchical level. For example, highly-correlated applications, such as applications for use in a series of transactions, are registered in the same directory (and highly-correlated sub-directories are registered in the same directory). Accordingly, the application and directory arrangement in the memory region is well organized, and the user can efficiently classify and organize the applications.

Hierarchical control over the access right is implemented by setting a personal identification code for each application, and, in addition to this, by setting a personal identification code for each directory. For example, the user inputs a personal identification code corresponding to a directory. The input personal identification code is checked and authenticated, and the user is thus given the right to access all applications (and sub-directories) in the directory. For example, the user obtains the right to access all applications used in a series of transactions by inputting a personal identification code for the corresponding directory once. Access control is thus efficiently performed, and the operability of the apparatus is thus improved.

FIG. 4 illustrates the internal functional configuration of the IC chip 50 embedded in the mobile terminal 10 according to this embodiment.

As shown in the diagram, the IC chip 50 includes an RF unit 51 having connected thereto an antenna for establishing a wireless link with the reader/writer 101 of the external apparatus 100, a memory 52 having a storage region individually allocated to each application, such as purchased-ticket information or depositor information (electronic money) at a bank, a checker 53 for comparing and checking a personal identification code, a wired interface 54, and a controller 55 for controlling the components in a general manner.

The controller 55 is formed by integrating a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), and the like. The controller 55 executes program code stored on the ROM to control the internal operation of the IC chip 50. Also, the controller 55 communicates with the controller 11 of the mobile terminal 10 via the wired interface 54.

The memory 52 is used to allocate a storage region to one or more applications. The memory 52 can be implemented as any type of readable/writable storage medium, such as a semiconductor memory or a magnetic stripe, and is not limited to a particular device.

In this embodiment, a storage space of the memory 52 has a hierarchical structure using directories. Specifically, each application allocated to the memory region can be registered in a directory at a desired hierarchical level. For example, highly-correlated applications, such as applications for use in a series of transactions, are registered in the same directory (and highly-correlated sub-directories are registered in the same directory).

Applications and directories allocated in the memory 52 each have a personal identification code defining region. A personal identification code can be set for each application or directory. The right to access the memory 52 is controlled in application units and in directory units. The hierarchical structure, the hierarchical control over the access right, and the personal identification code defining region in the memory 52 will be described in detail later.

The checker 53 checks a personal identification code sent via the wired interface 54 against a personal identification code set in the memory region allocated to each application or directory and permits access to the memory region if the personal identification codes match each other. Information can be read from and written to the access-permitted memory region by the reader/writer 101 via the RF unit 51.

The personal identification code sent via the wired interface 54 is, in short, the personal identification code input from the user using the mobile terminal 10. In other words, according to this embodiment, the user can input a personal identification code using the user's own mobile terminal 10, with which the user is familiar, instead of using a user interface of the external apparatus 100, with which the user is unfamiliar, and the input personal identification code is thus checked.

FIG. 5 schematically shows an example of the configuration of the memory space in the memory 52 shown in FIG. 4. In the example shown in the diagram, directory 1 corresponding to a root directory includes application 1A and application 1B, and directory 2 that corresponds to a sub-directory.

Under directory 2, application 2A, and directory 3-1 and directory 3-2 corresponding to sub-directories are included.

Under directory 3-1, application 3-1A and application 3-1B are included. Under directory 3-2, application 3-2A, application 3-2B, and application 3-2C are included.

As shown in FIG. 5, each application and directory allocated on the memory 52 is provided with a personal identification code defining region. FIG. 6 schematically shows the data structure of the personal identification code defining region. As shown in the diagram, the personal identification code defining region has a personal identification number region, a region for storing the number of input failures, a region for setting the maximum permissible number of input failures, a region for selecting whether to use a personal identification code, and an access permission flag.

When the user wants to access an application or directory, the user is prompted by the IC chip 50 to input a personal identification code. For example, a beep is emitted by the mobile terminal 10 or a dialog is displayed on the display unit 13 to prompt the user to input a personal identification code.

Only when the personal identification code input from the user matches the correct personal identification code is the access permission flag set in the personal identification code defining region in the corresponding application or directory, and access thereto is thus permitted.

The access permission flag indicates whether or not the corresponding application or directory is accessible. The application or directory having set therein the access permission flag is accessible. In a default setting, the access permission flag in each application or directory for which a personal identification code is set is in the inaccessible state. After personal identification code checking or authentication using a private key succeeds, the access permission flag is set to allow the application or directory to become accessible. If the access permission flag is continuously set, the user may suffer from damage in case of loss or theft of the IC chip 50 or the mobile terminal 10 since the applications and directories may be used without permission or used fraudulently. The IC chip 50 according to this embodiment has a mechanism for automatically changing the accessible state to the inaccessible state, which will be described in detail later.

The record in the region for storing the number of input failures is updated every time an incorrect personal identification code is input. When the number of input failures reaches the maximum permissible number of input failures set in the region for setting the maximum permissible number of input failures, access to the corresponding application or directory is denied.

In general, the number of input failures should be cleared once the user succeeds in inputting the correct personal identification code. This scheme prevents a malicious user from checking every possible personal identification code to detect the correct personal identification code. When the user inputs incorrect personal identification codes and the number of input failures reaches the maximum permissible number of input failures, input of the personal identification code fails. In this case, only a manager managing the IC chip 50 may clear the region for storing the number of input failures. The manager may be authenticated by, for example, a private key, which will be described later.

When a personal identification code for a directory is input and access to the directory is thus permitted, access to all applications and directories below the directory may be permitted. For example, as in directory 2 shown in FIG. 5, a personal identification code for the directory itself and a personal identification code for a sub-directory(s) are individually arranged, thereby setting the personal identification code for controlling the right to access only applications belonging to directory 2 and the personal identification code for controlling the right to access only sub-directories 3-1 and 3-2 below directory 2.

The region for setting whether to use a personal identification code, which is in each personal identification code defining region, is used to select whether to set a personal identification code for the target region. Specifically, when a personal identification code is set, access to the corresponding application or directory is permitted if authentication by the personal identification code is successful. In contrast, an application or directory for which no personal identification code is set does not require personal identification code checking, and access to that application or directory is thus unrestricted.

In addition to a personal identification code, a private key may be set for each application or directory. In addition to authentication using input of a personal identification code, the private key may also be used as authentication means.

FIG. 7 is a flowchart showing a process of controlling the right to access a directory or application in accordance with a personal identification code input from the user.

When the user inputs a personal identification code (step S1), the checker 53 accesses the personal identification code defining region of an application or directory in the memory space to determine whether or not the input personal identification code matches a personal identification code set for the application or directory (step S2).

When the personal identification code set for the application or directory matches the personal identification code input from the user, the access permission flag in the personal identification code defining region in the application or directory is set to make the application or directory accessible (step S3).

For example, the personal identification code input from the user using the user input unit 12 of the mobile terminal 10 may be sent via the wired interface 54 to the IC chip 50. Alternatively, the IC chip 50 is held above the reader/writer 101 of the external apparatus 100, and a personal identification code input using the user interface of the external apparatus 100 is sent via a wireless interface, which is the RF unit 51, to the IC chip.

FIG. 8 is a flowchart showing a process of controlling the right to access a directory or application using a private key in place of a personal identification code input from the user.

Using a private key set for a desired directory or application, authentication processing is performed with a predetermined certifying authority (step S11).

When authentication succeeds (step S12), the access permission flag in the personal identification code defining region of the directory or application is set to enable the directory or application to be accessible (step S13).

Needless to say, the right to access an application or directory may be controlled by a combination of checking a personal identification code input from the user, such as that shown in FIG. 7, and authentication processing using a private key, such as that shown in FIG. 8. In such a case, an application or directory is protected from being used without permission or being used fraudulently at a higher security level.

When the right to access an application or directory is controlled using a personal identification code such as that shown in FIG. 7, a malicious user may check every possible personal identification code to destroy the security (especially when a personal identification code having a small number of digits is used). In this embodiment, the maximum permissible number of inputs is set in the personal identification code defining region. An application or directory in which the number of input failures reaches the maximum permissible number of inputs is set to be inaccessible, thus performing access control.

FIG. 9 is a flowchart showing a process of controlling the right to access an application or directory using the number of failures of input of the personal identification code.

When the user inputs a personal identification code (step S21), the checker 53 accesses the personal identification code defining region of an application or directory in the memory space and determines whether or not the input personal identification code matches a personal identification code for the application or directory (step S22).

When the personal identification code for the application or directory matches the personal identification code input from the user, the access permission flag in the personal identification code defining region is set to enable the corresponding application or directory to be accessible (step S23).

In contrast, when the personal identification code for the application or directory does not match the personal identification code input from the user, the number of input failures in the personal identification code defining region is updated (step S24).

It is then determined whether or not the updated number of input failures has reached the maximum permissible number of inputs set in the personal identification code defining region (step S25).

If the number of input failures has reached the maximum permissible number of inputs, the setting of the access permission flag in the personal identification code defining region is cleared to make the corresponding application or directory inaccessible (step S26).

As a result, the act of checking every possible personal identification code by a malicious user is prevented.

When the user inputs incorrect personal identification codes and the number of input failures reaches the maximum permissible number of input failures, input of the personal identification code fails. In this case, only a manager managing the IC chip 50 may clear the region for storing the number of input failures. The manager may be authenticated using, for example, a private key.

For example, if a known ATM card is lost, funds in the account are protected when the card owner reports the loss to a bank handling the account to suspend any transaction using the bank account since the funds themselves are not stored in the card. In contrast, in a case of an IC chip having a memory region, highly-negotiable value information, such as electronic money or an electronic ticket, is stored in a semiconductor memory in the IC chip. When the lost IC chip is found by a malicious person, it is very likely that the IC chip is fraudulently used to cause economic damage.

In this embodiment, in response to turning off the power of the IC chip 50 (or the mobile terminal 10 having the IC chip 50 embedded therein), the access permission flags in all personal identification code defining regions are cleared to automatically deny access to all applications and directories. If the IC chip 50 is lost, this scheme prevents the IC chip 50 from being maintained as accessible and from being used fraudulently by a malicious user.

FIG. 10 schematically shows the mechanism for automatically setting the accessible memory region to be inaccessible by cutting off power. The mechanism shown in the diagram is implementable using a storage medium such as a semiconductor memory in which the contents of the memory region are maintained by receiving power supply (volatile type).

Access permission flags 201-1 to 201-n are provided, as shown in FIG. 6, in the personal identification code defining regions for applications and directories to which the memory region is allocated. In each of the access permission flags 201-1 to 201-n, contact A and contact B are arranged. The ends of contact A can be connected to the ends of contact B via switches SW1 and SW2 arranged in parallel. Opening both contact A and contact B sets the corresponding application or directory to be accessible, whereas shorting contact A and contact B sets the corresponding application or directory to be inaccessible.

Access-permission-flag controllers 202-1 to 202-n are provided in the IC chip 50, and the number of access-permission-flag controllers 202-1 to 202-n is equal to the number of access permission flags (that is, equal to the total number of applications and directories allocated to the memory region).

When the IC chip 50 is turned on, switch SW1 shown in the diagram is open.

In normal operation, in order to permit access to the corresponding application or directory in response to input of a personal identification code, the access-permission-flag controller 202 opens switch SW2 in the corresponding access permission flag 201. As a result, both contact A and contact B are open, and the access permission flag 201 is set to the accessible state.

In order to deny access, switch SW2 is shorted. Regardless of the state of the other switch, that is, SW1, contact A and contact B are shorted, thus setting the access permission flag to the inaccessible state.

If the IC chip 50 (or the mobile terminal 10 having the IC chip 50 embedded therein) is turned off in the accessible state in which switch SW is open, the power supply voltage is reduced from the initial voltage V_(CC) to 0 [V], and a threshold voltage V_(th) therebetween is detected by a voltage detector 203. In response to detection of the threshold voltage V_(th), the power supply voltage detector 203 shorts all switches SW1 in the access permission flags 201-1 to 201-n. Regardless of the state of the other switches SW2, contacts A and contacts B in the access permission flags 201-1 to 201-n are shorted. Accordingly, all access permission flags are changed to the inaccessible state at the same time.
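The following C sketch is an added example, not code from the patent: it models the personal identification code defining region of FIG. 6, the retry-limited check of FIG. 9, directory-level grants over part of the FIG. 5 tree, and the simultaneous flag clearing of FIG. 10. The type and function names, the 4-digit PIN length, the parent-index layout, the constant-time comparison, and counting an attempt before comparing (so that cutting power mid-check cannot yield an uncounted guess) are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PIN_LEN   4      /* assumed PIN length */
#define NO_PARENT (-1)

/* One personal identification code defining region (fields per FIG. 6). */
typedef struct {
    uint8_t pin[PIN_LEN];  /* personal identification number region */
    uint8_t failures;      /* number of input failures (non-volatile on a chip) */
    uint8_t max_failures;  /* maximum permissible number of input failures */
    bool    pin_required;  /* whether a PIN is used for this node */
    bool    access_flag;   /* access permission flag (volatile on a chip) */
    int     parent;        /* index of the enclosing directory (assumed layout) */
} pin_region_t;

typedef enum { PIN_OK, PIN_WRONG, PIN_LOCKED, PIN_NOT_REQUIRED } pin_result_t;

/* Constructed sample: part of the FIG. 5 tree. */
enum { DIR1, APP1A, DIR2, APP2A, N_NODES };

/* Compare without an early exit so timing does not reveal matching digits. */
static bool pin_equal(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < PIN_LEN; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Steps S21 to S26 of FIG. 9 for one application or directory. */
pin_result_t pin_verify(pin_region_t *r, const uint8_t *input)
{
    if (!r->pin_required)
        return PIN_NOT_REQUIRED;
    if (r->failures >= r->max_failures) {  /* locked: refuse to compare at all */
        r->access_flag = false;
        return PIN_LOCKED;
    }
    r->failures++;                         /* count the attempt first (S24) */
    if (pin_equal(r->pin, input)) {        /* S22 */
        r->failures = 0;                   /* success clears the counter */
        r->access_flag = true;             /* S23 */
        return PIN_OK;
    }
    if (r->failures >= r->max_failures) {  /* S25 */
        r->access_flag = false;            /* S26 */
        return PIN_LOCKED;
    }
    return PIN_WRONG;
}

/* Only an authenticated manager may clear the failure counter. */
bool manager_reset(pin_region_t *r, bool manager_authenticated)
{
    if (!manager_authenticated)
        return false;
    r->failures = 0;
    return true;
}

/* A node is usable if it needs no PIN, or it or an enclosing directory is unlocked. */
bool node_accessible(const pin_region_t *t, int idx)
{
    if (!t[idx].pin_required)
        return true;
    for (int i = idx; i != NO_PARENT; i = t[i].parent)
        if (t[i].pin_required && t[i].access_flag)
            return true;
    return false;
}

/* FIG. 10: on loss of power every access permission flag is cleared at once. */
void power_down(pin_region_t *t, size_t n)
{
    for (size_t i = 0; i < n; i++)
        t[i].access_flag = false;
}

void sample_tree(pin_region_t *t)
{
    static const pin_region_t init[N_NODES] = {
        [DIR1]  = { {1, 1, 1, 1}, 0, 3, true,  false, NO_PARENT },
        [APP1A] = { {0, 0, 0, 0}, 0, 3, false, false, DIR1 },
        [DIR2]  = { {2, 2, 2, 2}, 0, 3, true,  false, DIR1 },
        [APP2A] = { {3, 3, 3, 3}, 0, 3, true,  false, DIR2 },
    };
    memcpy(t, init, sizeof init);
}

int main(void)
{
    pin_region_t t[N_NODES];
    const uint8_t dir2_pin[PIN_LEN] = {2, 2, 2, 2}, bad[PIN_LEN] = {9, 9, 9, 9};
    sample_tree(t);
    printf("wrong PIN on directory 2:   %d\n", pin_verify(&t[DIR2], bad));
    printf("correct PIN on directory 2: %d\n", pin_verify(&t[DIR2], dir2_pin));
    printf("application 2A accessible:  %d\n", node_accessible(t, APP2A));
    power_down(t, N_NODES);
    printf("after power-down:           %d\n", node_accessible(t, APP2A));
    return 0;
}
```

The failure counter deliberately survives `power_down`, so removing the chip from the field resets granted access but not the remaining number of guesses.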

C. Second Embodiment

FIG. 11 illustrates the internal functional configuration of an IC chip 50 embedded in a mobile terminal 10 according to a second embodiment of the present invention.

As shown in the diagram, the IC chip 50 includes an RF unit 51 having connected thereto an antenna for establishing a wireless link with a reader/writer 101 of an external apparatus 100, a memory 52 having a storage region individually allocated to each application, such as purchased-ticket information or depositor information (electronic money) at a bank, a checker 53 for comparing and checking a personal identification code, a wired interface 54, and a controller 55 for controlling the components in a general manner.

The controller 55 is formed by integrating a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), and the like. The controller 55 executes program code stored on the ROM to control the internal operation of the IC chip 50. Also, the controller 55 communicates with a controller 11 of the mobile terminal 10 via the wired interface 54.

In the memory 52, each application is allocated a region. In the example shown in the diagram, application A, application B, and application C are allocated individual regions on the memory 52. If necessary, a personal identification code for identification or authentication is set for each application. The region allocated to each application includes a personal identification code region for storing a personal identification code.

The memory 52 can be implemented as any type of readable/writable storage medium, such as a semiconductor memory or a magnetic stripe, and is not limited to a particular device.

In this embodiment, the checker 53 checks a personal identification code sent via the wired interface 54 against a personal identification code set in the memory region allocated to each application. If the personal identification codes match each other, access to the corresponding memory region is permitted. Information can be read from or written to the access-permitted memory region by the reader/writer 101 via the RF unit 51.

The personal identification code sent via the wired interface 54 is, in short, the personal identification code input from the user using the mobile terminal 10. In other words, according to this embodiment, the user can input a personal identification code using the user's mobile terminal 10 the user is familiar with, instead of using a user interface of the external apparatus 100 the user is unfamiliar with, and the input personal identification code is thus checked.

FIG. 12 is a flowchart showing a process of permitting access to an application allocated to the memory 52 by checking a personal identification code input from a user input unit 11 of the mobile terminal 10. With reference to the flowchart of FIG. 12, the process of permitting access to the application will now be described.

The user uses the user input unit 11 of the mobile terminal 10 to input a personal identification code (step S101).

The personal identification code input in this manner is transferred to the checker 53 in the IC chip 50 via the wired interface 54 (step S102).

The checker 53 checks the personal identification code input via the user input unit 12 against a personal identification code set for each application allocated to the memory 52 (step S103).

As a result of checking, the user is given a right to access the application in which the personal identification codes match each other (step S104). A storage region allocated to the access-permitted application becomes accessible by the reader/writer 101 using wireless communication.

Needless to say, the checker 53 not only checks a personal identification code received via the wired interface 54 (that is, input from the user using the mobile terminal 10), but also checks a personal identification code received via the RF unit 51 (that is, input from the user using the external apparatus 100).

When a series of transactions with the reader/writer 101 is completed after access has been permitted, the controller 55 analyzes the completion and sends the analysis result via the wired interface 54.

Alternatively, after normal or abnormal termination of the transactions, the controller 55 waits for a command from the wired interface 54 or waits for the mobile terminal 10 itself to be turned off (that is, waits for electromagnetic waves from the reader/writer 101 to be stopped to cause the IC chip 50 to be deactivated). In this case, after a predetermined period of time elapses, the controller 11 of the mobile terminal 10 having the IC chip 50 embedded therein performs termination processing such as sending the next command to the IC chip 50 or turning off the IC chip 50.

FIG. 13 is a flowchart showing a process of controlling the right to access an application on the basis of a result of detecting electromagnetic waves sent from the external apparatus 100. In accordance with the flowchart, control over the right to access the application will now be described.

In a period during which the IC chip 50 is wirelessly connected with the external apparatus 100 via the RF unit 51, the controller 55 determines at all times whether or not electromagnetic waves are received via the RF unit 51 (step S111).

In response to detecting no electromagnetic waves, it is determined that a series of transactions between the external apparatus 100 and the IC chip 50, which are wirelessly connected with each other via the RF unit 51, is terminated (step S112).

The controller 55 performs termination processing to terminate the transactions with the external apparatus 100 (step S113). As a result, the right given to the external apparatus 100 to access the application disappears.

As a result, after being used, the IC chip 50 is not maintained in a state in which each application is accessible. For example, when the mobile terminal 10 is lost or stolen, unauthorized use of each application is prevented. The user is thus prevented from suffering from unauthorized use or theft of value information such as electronic money.

FIG. 14 is a flowchart showing a process of controlling the right to access an application on the basis of a response from the external apparatus 100 in response to a command sent from the IC chip 50. In accordance with the flowchart, control over the right to access the application will now be described.

When the controller 55 sends a command to the external apparatus 100 via the RF unit 51 (step S121), the controller 55 determines whether or not a response to the command has been given (step S122).

When no response is received within a predetermined period of time after sending the command (step S123), it is determined that a series of transactions between the IC chip 50 and the external apparatus 100 has been terminated normally or abnormally (step S124), and termination processing to terminate the transactions with the external apparatus 100 is performed (step S125).

As a result, after the wireless link with the external apparatus 100 is broken, the IC chip 50 is not maintained in a state in which the right to access each application is given. For example, when the mobile terminal is lost or stolen, unauthorized use of each application is prevented. The user is thus prevented from suffering from unauthorized use or theft of value information such as electronic money.
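The following added example, which is not code from the patent, models the access-right control of FIG. 12 and FIG. 14 in C: a personal identification code check sets a per-application access flag, and a missing response from the reader/writer within the timeout returns every flag to the default inaccessible state. All identifiers, the 4-digit code length, the 50-tick timeout, the constant-time comparison and the choice not to reset the failure count on success are assumptions; the failure-count limit follows the document's claims.

```c
/* Added example, not code from the patent. Identifiers, PIN length and
   timeout value are assumptions made for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PIN_LEN 4
#define RESPONSE_TIMEOUT 50u /* ticks; stands in for the "predetermined period" */

struct app {
    const char *name;
    bool needs_pin;       /* false: unrestricted application, always accessible */
    uint8_t pin[PIN_LEN]; /* personal identification code region */
    uint8_t failures;     /* number of input failures so far */
    uint8_t max_failures; /* maximum permissible number of input failures */
    bool accessible;      /* access permission flag */
};

struct chip {
    struct app *apps;
    size_t n_apps;
    bool awaiting_response; /* a command to the reader/writer is outstanding */
    uint32_t command_tick;  /* tick at which that command was sent */
};

/* Default setting: PIN-protected applications become inaccessible.
   Used at power-on, on power loss and as termination processing. */
void chip_revoke_all(struct chip *c)
{
    for (size_t i = 0; i < c->n_apps; i++)
        c->apps[i].accessible = !c->apps[i].needs_pin;
    c->awaiting_response = false;
}

/* Comparison without early exit, so timing does not reveal how many digits
   matched (added hardening, not described in the document). */
static bool pin_equal(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < PIN_LEN; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Steps S103/S104: check the code received over the wired interface. The
   failure count is not reset on success; clearing it is left to a manager. */
bool chip_check_pin(struct chip *c, size_t idx, const uint8_t pin[PIN_LEN])
{
    if (idx >= c->n_apps) return false;
    struct app *a = &c->apps[idx];
    if (!a->needs_pin) return true;
    if (a->failures >= a->max_failures) return false; /* locked out */
    if (!pin_equal(a->pin, pin)) {
        if (++a->failures >= a->max_failures)
            a->accessible = false; /* limit reached: revoke this application */
        return false;
    }
    a->accessible = true;
    return true;
}

/* What the reader/writer is allowed to touch over the RF unit. */
bool chip_rf_access(const struct chip *c, size_t idx)
{
    return idx < c->n_apps && c->apps[idx].accessible;
}

/* Step S121 and the arrival of a response. */
void chip_send_command(struct chip *c, uint32_t now) { c->awaiting_response = true; c->command_tick = now; }
void chip_on_response(struct chip *c) { c->awaiting_response = false; }

/* Steps S122 to S125: no response within the period ends the transaction and
   removes every access right. Returns true when termination was performed. */
bool chip_poll_timeout(struct chip *c, uint32_t now)
{
    if (!c->awaiting_response || now - c->command_tick < RESPONSE_TIMEOUT)
        return false;
    chip_revoke_all(c);
    return true;
}

int main(void)
{
    /* Constructed sample data: one PIN-protected, one unrestricted application. */
    struct app apps[] = { { "e-money", true, {1, 2, 3, 4}, 0, 3, false },
                          { "coupon", false, {0}, 0, 0, false } };
    struct chip c = { apps, 2, false, 0 };
    const uint8_t pin[PIN_LEN] = {1, 2, 3, 4};
    chip_revoke_all(&c); /* power-on default */
    chip_check_pin(&c, 0, pin);
    printf("after PIN check: %d\n", chip_rf_access(&c, 0));
    chip_send_command(&c, 100);
    chip_poll_timeout(&c, 100 + RESPONSE_TIMEOUT); /* reader/writer went silent */
    printf("after timeout:   %d\n", chip_rf_access(&c, 0));
    return 0;
}
```

Calling `chip_revoke_all` from a supply-voltage interrupt would model the power-loss behaviour described for the first embodiment.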

Prior to receiving a personal identification code via the wired interface 54, the IC chip 50 performs wireless communication with the reader/writer 101 via the RF unit 51 and sends/receives data to/from the external apparatus 100. Subsequently, when data is to be sent and received further, the controller 55 detects that authentication using a personal identification code is necessary and sends the detection result to the controller 11 of the mobile terminal 10 via the wired interface 54.

FIG. 15 is a flowchart showing a process of prompting the user to input a personal identification code to the mobile terminal in response to establishment of a wireless link between the IC chip 50 and the external apparatus 100 via the RF unit 51.

The controller 55 determines at all times whether or not the IC chip 50 is wirelessly connected with the external apparatus 100 via the RF unit 51 (step S131).

When the IC chip 50 is connected with the external apparatus 100 via the RF unit 51 and power is supplied to the IC chip 50, the controller 55 notifies, via the wired interface 54, the controller 11 of the mobile terminal 10 of the necessity to input a personal identification code for accessing the memory 52 (step S132).

In response to the notification, the mobile terminal 10 emits a beep or displays a dialog on the display unit 12 to prompt the user to input a personal identification code for using a desired application (step S133).

Accordingly, the user is reliably reminded of the necessity to input a personal identification code when the user holds the mobile terminal above the external apparatus to use an application. Application use in every aspect of the user's everyday life is thus facilitated.

D. Third Embodiment

FIG. 16 schematically shows the hardware configuration of a mobile terminal 10-2 according to a third embodiment of the present invention.

The mobile terminal 10-2 shown in the diagram includes an IC chip 50 which is driven by receiving power using wireless communication with an external apparatus and which has a memory function, a controller 11 for controlling the overall internal operation of the mobile terminal 10, a user input unit 12 formed of keys/buttons with which the user inputs various character strings and commands, such as a personal identification number or password, and a display unit 13, such as an LCD (Liquid Crystal Display), for displaying the processing result. Needless to say, the mobile terminal 10-2 may include peripheral units and circuit components other than those shown in the diagram in order to implement the primary function of the mobile terminal 10-2.

The IC chip 50 includes a wireless interface 14 for establishing a wireless link with an external apparatus 100 and a wired interface 15 for establishing a wired connection with the controller 11 of the mobile terminal 10. The wireless interface 14 uses, for example, a contact interface standard defined by ISO 7816 or a wireless interface standard defined by ISO 14443 (the same as above).

The IC chip 50 is manufactured by adopting, for example, a contactless IC card technology. The IC chip 50 is driven by electromagnetic waves received from the external apparatus 100 via the wireless interface. In other words, when the user is not holding the mobile terminal 10 above the external apparatus 100, electromagnetic waves from the external apparatus 100 do not reach the mobile terminal 10, and the operation of the IC chip 50 is deactivated. The right to access the interior of the IC chip 50 thus disappears.

The IC chip 50 has a relatively-high-capacity memory region. Such a memory region is made possible by miniaturization technology. The memory region is formed of a semiconductor memory, a magnetic stripe, or other readable/writable storage media. One or more applications are allocated on the memory region. An example of an application is value information, such as electronic money or an electronic ticket.

In order to protect this type of value information from being used without permission or stolen, the right to access each application is controlled using a personal identification code such as a personal identification number or password in application units. For example, a personal identification code input via the wireless interface 14 or the wired interface 15 is checked against a personal identification code for each application, and the right to access each application is given when the personal identification codes match each other.

The mobile terminal 10-2 is formed by providing a personal identification code storage region in the controller 11 in the mobile terminal shown in FIG. 1. A personal identification code corresponding to a program in the controller 11 is stored in advance in the personal identification code storage region. This enables the personal identification code corresponding to the called program to be sent to the IC chip 50 via the wired interface. The user is thus not required to sequentially input personal identification codes in order to use the same application stored in the IC chip 50, and the operability of the apparatus is improved.

FIG. 17 is a flowchart of a process of omitting the inputting of a personal identification code by activating a program.

A personal identification code for each application is registered in advance (step S141). The registered personal identification code is stored in a predetermined personal identification number storage region in the controller 55.

When the user wants to use an application, the user selects a desired program from, for example, a menu list (not shown) displayed on the display unit 13 (step S142).

As a result, the controller 11 activates the selected program (step S143).

The controller 11 reads a personal identification code for the corresponding application in accordance with the activated program from the personal identification code storage region and sends the personal identification code to the IC chip 50 via the wired interface 15 (step S144).

As a result, in the IC chip, the personal identification code received via the wired interface 15 is checked against the personal identification code set for each application allocated to the memory region (step S145).

As a result of checking, the user is given the right to access the application in which the personal identification codes match each other (step S146). The storage region allocated to the application to which the access right is given is accessible by the reader/writer 101 using wireless communication.

In such a case, the user selects a desired program from a menu screen displayed on the display, and the corresponding program is called to the mobile terminal. In response to the activated program, a personal identification code for the corresponding application is input to the IC chip via the wired interface, and the right to access the application is thus given. The user can omit the inputting of a personal identification code for a desired application, and the operability of the apparatus is improved.

With reference to the specific embodiments, the present invention has been described in detail. However, it is to be understood that various modifications and substitutions can be made by those skilled in the art without departing from the scope of the present invention.

In this specification, cases have been described in which the IC chip according to the present invention is used by being embedded in the mobile terminal such as a cellular phone or PDA. However, the scope of the present invention is not limited to these cases. The merits of the present invention are similarly achieved by, for example, using the IC chip in a stand-alone manner or by embedding the IC chip in another type of device and using the IC chip.

In short, the present invention has been disclosed by examples for illustration purposes, and the description should not be interpreted in a limited manner. The scope of the present invention is to be determined solely by the appended claims.

According to the present invention, there are provided an improved information storage medium which can be used by being placed in an information processing apparatus, such as a cellular phone or PDA (Personal Digital Assistant), an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium.

According to the present invention, there are provided an improved information storage medium which has a memory region and which efficiently controls the right to access each application allocated to the memory region, an IC chip with a memory region, an information processing apparatus having the IC chip with the memory region, and a memory management method for the information storage medium.

According to the present invention, the memory region on the IC chip has a hierarchical structure. Each application allocated to the memory region is registered in a directory. The memory region is efficiently managed in directory units.

According to the present invention, a personal identification code is set for each application and directory. As the case may be, the access right is controlled in application units or in directory units. For example, for all applications included in a directory, an identification or authentication scheme having the same usability as the existing IC chip may be provided.

According to the present invention, when the IC chip or the mobile terminal having the IC chip embedded therein is lost, the right to access each application in the IC chip automatically disappears. Accordingly, the IC chip or the mobile terminal is protected against fraudulent use by others.

Identification or authentication using the IC chip according to the present invention may be performed in conjunction with authentication using a private key. As a result, value information such as electronic money can be handled with higher security.

According to the present invention, for example, when the IC chip embedded in the mobile terminal is used as a bank card, identification or authentication processing is performed on the user by inputting, by the user, a personal identification number using the mobile terminal the user is familiar with. This results in minimization of the amount of operation that the user has to perform using a bank's ATM terminal the user is unfamiliar with.

According to the present invention, holding the mobile terminal towards, for example, an ATM terminal in a bank causes the ATM terminal to prompt the mobile terminal to input an appropriate personal identification code.

According to the present invention, a program and a personal identification code are associated with each other in the mobile terminal. Therefore, for example, when a bank's balance-of-account displaying program is called, the personal identification number is automatically called.

1. An integrated circuit device for use with a mobile terminal apparatus comprising: a memory region; memory allocating means for allocating the memory region for each application wherein the memory allocating means allocates the memory region for each application in a hierarchical manner using a plurality of directories; first personal identification code setting means for setting, for each application that requires restricted access, allocated to the memory region, a personal identification code for controlling the right to access each application, wherein at least one application does not require restricted access and does not require the personal identification code; second personal identification code setting means for setting, for each directory in the memory region that requires restricted access, an additional personal identification code for controlling the right to access each application allocated to the directory associated with the additional personal identification code; wireless interface means for enabling the integrated circuit device to perform wireless communication with an external apparatus via an antenna; user input means for inputting, from a user, a personal identification code using the mobile terminal apparatus; and accessibility/inaccessibility managing means for managing each application allocated to the memory region to be accessible/inaccessible, wherein the accessibility/inaccessibility managing means sets each application for which the personal identification code is set to be inaccessible in a default setting, and, in response to the personal identification code input from a user matching the set personal identification code, sets the corresponding application to be accessible, and, in response to the personal identification code input from the user matching the set additional personal identification code, sets all applications in the corresponding directory to be accessible, and wherein the accessibility/inaccessibility managing means sets all applications to be inaccessible when a predetermined period of time elapses without a response from the external apparatus.
2. An integrated circuit device according to claim 1, wherein, a sub-directory is under a first directory of the plurality of directories, a first application is not in the first directory, and the first application is not in any sub-directory under the first directory, and in response to the personal identification code input from the user matching the additional personal identification code set for the first directory, the accessibility/inaccessibility managing means sets all applications in the first directory and all applications in the sub-directory to be accessible.
3. An integrated circuit device according to claim 1, further comprising private key setting means for setting, for each application allocated to the memory region, a private key for authentication, wherein the accessibility/inaccessibility managing means sets the inaccessible application to be accessible when the inaccessible application is mutually authenticated by a predetermined certificate authority using the private key.
4. An integrated circuit device according to claim 1, further comprising access denying means for causing each accessible application to be inaccessible in response to cutting off the power of the device.
5. An integrated circuit device according to claim 1, further comprising: number-of-input-failure storing means for storing the number of failures of input of the personal identification code for each application allocated to the memory region; and maximum-permissible-number-of-input-failure setting means for setting the maximum permissible number of failures of input of the personal identification code for each application allocated to the memory region, wherein the accessibility/inaccessibility managing means sets the application in which the number of input failures has reached the maximum permissible number of inputs to be inaccessible.
6. An integrated circuit device according to claim 5, further comprising number-of-input failure initializing means for clearing the number of input failures stored in the number-of-input-failure storing means by a manager mutually authenticated by a predetermined certificate authority.
7. An integrated circuit device according to claim 5 further comprising number-of-input-failure initializing means for clearing the number of input failures stored in the number-of-input-failure storing means by a manager mutually authenticated by a predetermined certificate authority.
8. An information processing apparatus comprising an integrated circuit device for use with a mobile terminal apparatus including; a memory region; memory allocating means for allocating the memory region for each application wherein the memory allocating means allocates the memory region for each application in a hierarchical manner using a plurality of directories; personal identification code setting means for setting, for each application, that requires restricted access, allocated to the memory region and for each of the plurality of directories allocated to the memory region, a personal identification code for controlling the right to access each application and directory, wherein at least one application does not require restricted access and does not require the personal identification code; wireless interface means for enabling the integrated circuit device to perform wireless communication with an external apparatus via an antenna; user input means for inputting, from a user, a personal identification code using the mobile terminal apparatus; and accessibility/inaccessibility managing means for managing each application allocated to the memory region to be accessible/inaccessible, wherein the accessibility/inaccessibility managing means sets each application for which the personal identification code is set to be inaccessible in a default setting, and, in response to the personal identification code input from a user matching the set personal identification code corresponding to either the application or a directory, wherein the application is under the directory in accordance with the hierarchical manner, sets the corresponding application to be accessible, and wherein the accessibility/inaccessibility managing means sets all applications to be inaccessible when a predetermined period of time elapses without a response from the external apparatus.
9. An information processing apparatus according to claim 8, wherein the information processing apparatus is an information storage medium.
10. An information processing apparatus according to claim 9, wherein the information storage medium is a storage medium in the form of an IC card.
11. A memory management method for an information storage device for use with a mobile terminal apparatus, comprising: a memory allocating step of allocating a memory region for each application in a hierarchical manner using a plurality of directories; a personal identification code setting step of setting, for each application, that requires restricted access, allocated to the memory region and for a first directory of the plurality of directories, a personal identification code for controlling the right to access each application, wherein at least one application does not require restricted access and does not require the personal identification code; a wireless communication step of enabling the information storage device to perform wireless communication with an external apparatus via an antenna; user input step for inputting, from a user, a personal identification code using the mobile terminal apparatus; and an accessibility/inaccessibility managing step of managing each application allocated to the memory region to be accessible/inaccessible, wherein, in the accessibility/inaccessibility managing step, each application for which the personal identification code is set, is set to be inaccessible in a default setting, and, in response to the personal identification code input from a user matching the set personal identification code corresponding to the application or, if the application is under the first directory, corresponding to the first directory, the corresponding application is set to be accessible, and wherein the accessibility/inaccessibility managing means sets all applications to be inaccessible when a predetermined period of time elapses without a response from the external apparatus.
12. A memory management method for an information storage device according to claim 11, wherein, some of the plurality of directories are sub-directories of others of the plurality of directories.
13. A memory management method for an information storage device according to claim 12, wherein, in the accessibility/inaccessibility managing step, in response to the fact that the personal identification code input from the user matches the personal identification code set for one of the directories, all applications and sub-directories under the directory are set to be accessible.
14. A memory management method for an information storage device according to claim 11, further comprising a private key setting step of setting, for each application allocated to the memory region, a private key for authentication, wherein, in the accessibility/inaccessibility managing step, the inaccessible application is set to be accessible when the inaccessible application is mutually authenticated by a predetermined certificate authority using the private key.
15. A memory management method for an information storage device according to claim 12, further comprising a private key setting step of setting, for each application and directory allocated to the memory region, a private key for authentication, wherein, in the accessibility/inaccessibility managing step, the inaccessible application or directory is set to be accessible when the inaccessible application or directory is mutually authenticated by a predetermined certificate authority using the private key.
16. A memory management method for an information storage device according to claim 11, further comprising an access denying step of causing each accessible application to be inaccessible in response to cutting off the power of the information storage device by returning to the default setting.
17. A memory management method for an information storage device according to claim 12, further comprising an access denying step of causing each accessible application and directory to be inaccessible in response to cutting off the power of the information storage device by returning to the default setting.
18. A memory management method for an information storage device according to claim 14, further comprising: a number-of-input-failure storing step of storing the number of failures of input of the personal identification code for each application and directory allocated to the memory region; and a maximum-permissible-number-of-input-failure setting step of setting the maximum permissible number of failures of input of the personal identification code for each application and directory allocated to the memory region, wherein, in the accessibility/inaccessibility managing step, the application in which the number of input failures has reached the maximum permissible number of inputs is set to be inaccessible.
19. A memory management method for an information storage device according to claim 12, further comprising: a number-of-input-failure storing step of storing the number of failures of input of the personal identification code for each application and directory allocated to the memory region; and a maximum-permissible-number-of-input-failure setting step of setting the maximum permissible number of failures of input of the personal identification code for each application and directory allocated to the memory region, wherein, in the accessibility/inaccessibility managing step, the application or directory in which the number of input failures has reached the maximum permissible number of inputs is set to be inaccessible.
20. A memory management method for an information storage device according to claim 19, further comprising a number-of-input-failure initializing step of clearing the number of input failures stored in the number-of-input-failure storing step by a manager mutually authenticated by a predetermined certificate authority.
21. A memory management method for an information storage device according to claim 18 further comprising a number-of-input-failure initializing step of clearing the number of input failures stored in the number-of-input-failure storing step by a manager mutually authenticated by a predetermined certificate authority.
22. A semiconductor integrated circuit device adapted to be embedded in a mobile terminal apparatus comprising: a memory region including a plurality of directories arranged in a hierarchy; one or more applications allocated to the memory region, wherein the right to access each application, that requires restricted access, is controllable by a personal identification code corresponding to the application or by a different personal identification code corresponding to any directory under which the application is allocated, wherein at least one application does not require restricted access and does not require the personal identification code; a wireless interface for enabling the semiconductor integrated circuit device to perform wireless communication with an external apparatus; a wired interface for performing wired communication with the semiconductor integrated circuit device; user input means for inputting, from a user, a personal identification code using the mobile terminal apparatus; checking means for transferring the entered personal identification code input from the user input means via the wired interface to the semiconductor integrated circuit device and for checking the entered personal identification code with the personal identification code for each application and directory allocated to the memory region; and access-right control means for giving, as a result of checking by the checking means, a right to the user to access the application in which the entered personal identification code matches the personal identification code corresponding to the application or the different personal identification code corresponding to any directory under which the application is allocated, and wherein the access-right control means sets all applications to be inaccessible when a predetermined period of time elapses without a response from the external apparatus.
23. A semiconductor integrated circuit device according to claim 22, comprising a wireless interface for performing wireless communication and a wired interface for performing wired communication.
24. A semiconductor integrated circuit device for use with a mobile terminal apparatus comprising: a memory region for storing one or more applications and directories, wherein the right to access each application and directory, that requires restricted access, is controlled by a personal identification code, and the memory region is managed by directory so that applications are allocated on the memory region in a hierarchical structure, wherein at least one application does not require restricted access and does not require the personal identification code; a wired interface for performing wired communication with the mobile terminal apparatus; user input means for inputting, from a user, a personal identification code using the mobile terminal apparatus; checking means for receiving a personal identification code input from a user input means and transferred to the semiconductor integrated circuit device via the wired interface and for checking the personal identification code with a personal identification code for each application and directory allocated to the memory region, wherein the user input means is implemented in the mobile terminal apparatus; an access-right control means for giving, according to the result of checking by the checking means, a right to a user to access the application in which the personal identification codes match each other, and wherein the access-right control means sets all applications to be inaccessible when a predetermined period of time elapses without a response from external apparatus; and a wireless interface for enabling the external apparatus and the semiconductor integrated circuit device to perform wireless communication with each other.